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Abstract 

The ^TT-calculus is a synchronous 7r-calculus which is based on the SL niodeL The 
latter is a relaxation of the Esterel model where the reaction to the absence of a signal 
' within an instant can only happen at the next instant. In the present work, we present 

^ 1 , and characterise a compositional semantics of the S'Tr-calculus based on suitable notions 

^ • of labelled transition system and bisimulation. Based on this semantic framework, we 

Q I explore the notion of determinacy and the related one of (local) confluence. 

^ ! 1 Introduction 

•/^ . Let P be a program that can repeatedly interact with its environment. A derivative of P 

is a program to which P reduces after a finite number of interactions with the environment. 
A program terminates if all its internal computations terminate and it is reactive if all its 



in 
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^ ■ derivatives are guaranteed to terminate. A program is determinate if after any finite num- 

! ber of interactions with the environment the resulting derivative is unique up to semantic 

equivalence. 

Most conditions found in the hterature that entail determinacy are rather intuitive, how- 
^ , ever the formal statement of these conditions and the proof that they indeed guarantee de- 

^ [ terminacy can be rather intricate in particular in the presence of name mobility, as available 

in a paradigmatic form in the vr-calculus. 

Our purpose here is to provide a streamlined theory of determinacy for the synchronous vr- 
calculus introduced in [2]. It seems appropriate to address these issues in a volume dedicated 
to the memory of Gilles Kahn. First, Kahn networks [13] are a classic example of concurrent 
and deterministic systems. Second, Kahn networks have largely inspired the research on 
synchronous languages such as Lustre [9] and, to a lesser extent, Esterel [6]. An intended 
side-effect of this work is to illustrate how ideas introduced in concurrency theory well after 
Kahn networks can be exploited to enlighten the study of determinacy in concurrent systems. 
Our technical approach will follow a process calculus tradition, namely: 

1. We describe the interactions of a program with its environment through a labelled tran- 
sition system to which we associate a compositional notion of labelled bisimulation. 

2. We rely on this semantic framework, to introduce a notion of determinacy and a related 
notion of confluence. 



*Work partially supported by ANR-06-SETI-010-02. 
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3. We provide local confluence conditions that are easier to check and that combined with 
reactivity turn out to be equivalent to determinacy. 

We briefly trace the path that has lead to this approach. A systematic study of determi- 
nacy and confluence for CCS is available in [T7] where, roughly, the usual theory of rewriting 
is generalised in two directions: first rewriting is labelled and second diagrams commute up 
to semantic equivalence. In this context, a suitable formulation of Newman's lemma [19], has 
been given in [11]. The theory has been gradually extended from CCS, to CCS with values, 
and finally to the vr-calculus |20j . 

Calculi such as CCS and the vr-calculus are designed to represent asynchronous systems. 
On the other hand, the S'vr-calculus is designed to represent synchronous systems. In these 
systems, there is a notion of instant (or phase, or pulse, or round) and at each instant each 
thread performs some actions and synchronizes with all other threads. One may say that 
all threads proceed at the same speed and it is in this specific sense that we will refer to 
synchrony in this work. 

In order to guarantee determinacy in the context of CCS rendez-vous communication, it 
seems quite natural to restrict the calculus so that interaction is point-to-point, i.e., it involves 
exactly one sender and one receiver^ In a synchronous framework, the introduction of signal 
based communication offers an opportunity to move from point-to-point to a more general 
multi-way interaction mechanism with multiple senders and/or receivers, while preserving 
determinacy. In particular, this is the approach taken in the Esterel and SL [8] models. 
The SL model can be regarded as a relaxation of the Esterel model where the reaction to the 
absence of a signal within an instant can only happen at the next instant. This design choice 
avoids some paradoxical situations and simplifies the implementation of the model. The SL 
model has gradually evolved into a general purpose programming language for concurrent 
applications and has been embedded in various programming environments such as C, Java, 
Scheme, and Caml (see [71 [221 [16]). For instance, the Reactive ML language [E] includes a 
large fragment of the Caml language plus primitives to generate signals and synchronise on 
them. We should also mention that related ideas have been developed by Saraswat et al. [21] 
in the area of constraint programming. 

The S'TT-calculus can be regarded as an extension of the SL model where signals can carry 
values. In this extended framework, it is more problematic to have both concurrency and 
determinacy. Nowadays, this question is frequently considered when designing various kind 
of synchronous programming languages (see, e.g., [El [TO]). As we already mentioned, our 
purpose here is to address the question with the tool-box of process calculi following the work 
for CCS and the 7r-calculus quoted above. In this respect, it is worth stressing a few interesting 
variations that arise when moving from the 'asynchronous' vr-calculus to the 'synchronous' Svr- 
calculus. First, we have already pointed-out that there is an opportunity to move from a point- 
to-point to a multi-way interaction mechanism while preserving determinacy. Second, the 
notion of confluence and determinacy happen to coincide while in the asynchronous context 
confluence is a strengthening of determinacy which has better compositionality properties. 
Third, reactivity appears to be a reasonable property to require of a synchronous system, the 
goal being just to avoid instantaneous loops, i.e., loops that take no timeU 

^Incidentally, this is also the approach taken in Kahn networks but with an interaction mechanism based 
on unbounded, ordered buffers. It is not difffcult to represent unbounded, ordered buffers in a CCS with value 
passing and show that, modulo this encoding, the determinacy of Kahn networks can be obtained as a corollary 
of the theory of confluence developed in [17) . 

■^The situation is different in asynchronous systems where reactivity is a more demanding property. For 
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The rest of the paper is structured as follows. In section [2l we introduce the S'-zr-calculus, 
in section [3l we define its semantics based on a standard notion of labelled bisimulation on a 
(non-standard) labelled transition system and we show that the bisimulation is preserved by 
static contexts, in section U] we provide alternative characterisations of the notion of labelled 
bisimulation we have introduced, in section O we develop the concepts of determinacy and 
(local) confluence. Familiarity with the vr-calculus |18| I23j. the notions of determinacy and 
confluence presented in [T7j, and synchronous languages of the Esterel family [HI [8] is 
assumed. 

2 Introduction to the /Stt- calculus 

We introduce the syntax of the STr-calculus along with an informal comparison with the 
TT-calculus and a programming example. 

2.1 Programs 

Programs P,Q,... in the Svr-calculus are defined as follows: 

P ::= I A{e) || se j| .s(x).P, K\[si = sa] A, ^^2 || [u > p]Pi,P2 \ i^s P \ Pi \ P2 
K ::= A{y) 

We use the notation m for a vector mi, . . . , m„, n > 0. The informal behaviour of programs 
follows. is the terminated thread, ^(e) is a (tail) recursive call of a thread identifier A 
with a vector e of expressions as argument; as usual the thread identifier A is defined by a 
unique equation ^(x) = P such that the free variables of P occur in x. se evaluates the 
expression e and emits its value on the signal s. s{x).P,K is the present statement which 
is the fundamental operator of the SL model. If the values vi, . . . ,Vn have been emitted on 
the signal s then s{x).P,K evolves non-deterministically into [vi/x]P for some Vi ([_/-] is our 
notation for substitution). On the other hand, if no value is emitted then the continuation 
K is evaluated at the end of the instant, [si = S2]Pi,P2 is the usual matching function of 
the vr-calculus that runs Pi if si equals S2 and P2, otherwise. Here both si and S2 are free. 
[u ^p]Pi,P2, matches u against the pattern p. We assume u is either a variable x or a value 
V and p has the shape c(x), where c is a constructor and x is a vector of distinct variables. 
We also assume that if u is a variable x then x does not occur free in Pi. At run time, u 
is always a value and we run ^Pi if ^ = match{u,p) is the substitution matching u against 
p, and P2 if such substitution does not exist (written match{u,p) ]). Note that as usual the 
variables occurring in the pattern p (including signal names) are bound in Pi. i^s P creates 
a new signal name s and runs P. (Pi | P2) runs in parallel Pi and P2. A continuation K 
is simply a recursive call whose arguments are either expressions or values associated with 
signals at the end of the instant in a sense that we explain below. We will also write pause. 
for vs s{x).0, K with s not free in K. This is the program that waits till the end of the instant 
and then evaluates K. 

instance, [11] notes: "As soon as a protocol internally consists in some kind of correction mechanism (e.g., 
retransmission in a data link protocol) the specification of that protocol will contain a r-loop". 
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2.2 Expressions 



The definition of programs relies on tlie following syntactic categories: 



Sig 

Var 

Cnst 

Vol 

Pat 

Fun 

Exp 

Rexp 




Exp) 



(signal names) 

(variables) 

(constructors) 

(values V, v' , . . .) 

(patterns p,p', . . .) 

(first-order function symbols) 

(expressions e, e', . . .) 



(exp. with deref. r,r' , . . . 



As in the vr-calculus, signal names stand both for signal constants as generated by the v 
operator and signal variables as in the formal parameter of the present operator. Variables 
Var include signal names as well as variables of other types. Constructors Cnst include *, nil, 
and cons. Values Val are terms built out of constructors and signal names. Patterns Pat are 
terms built out of constructors and variables (including signal names). If P,p are a program 
and a pattern then we denote with fn{P),fn{p) the set of free signal names occurring in them, 
respectively. We also use FV{P),FV{p) to denote the set of free variables (including signal 
names). We assume first-order function symbols f,g,... and an evaluation relation ij. such 
that for every function symbol / and values vi, . . . ,Vn of suitable type there is a unique value 
V such that f{vi, . . . ,Vn) JJ- v and fn{v) C \J^^^ ^fn{vi). Expressions Exp are terms built 
out of variables, constructors, and function symbols. The evaluation relation JJ- is extended in 
a standard way to expressions whose only free variables are signal names. Finally, Rexp are 
expressions that may include the value associated with a signal s at the end of the instant 
(which is written !s, following the ML notation for dereferenciation) . Intuitively, this value is 
a list of values representing the set of values emitted on the signal during the instant. 

2.3 Typing 

Types include the basic type 1 inhabited by the constant * and, assuming o" is a type, the 
type Sig (a) of signals carrying values of type a, and the type List (a) of lists of values of 
type a with constructors nil and cons. In the examples, it will be convenient to abbrevi- 
ate cons(fi, . . . ,cons(f„, nil) . . .) with [vi; . . . ;Vn]- 1 and List{a) are examples of inductive 
types. More inductive types (booleans, numbers, trees,. . .) can be added along with more 
constructors. We assume that variables (including signals), constructor symbols, and thread 
identifiers come with their (first-order) types. For instance, a function symbols / may have 
a type (ai, (T2) — > a meaning that it waits two arguments of type ai and 02 respectively and 
returns a value of type a. It is straightforward to define when a program is well-typed. We 
just point-out that if a signal name s has type Sig{a) then its dereferenced value \s has type 
List{a). In the following, we will tacitly assume that we are handling well typed programs, 
expressions, substitutions,. . . 

2.4 Comparison with the vr-calculus 

The syntax of the Svr-calculus is similar to the one of the vr-calculus, however there are some 
important semantic differences that we highlight in the following simple example. Assume 
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f 1 7^ V2 are two distinct values and consider the following program in Stt: 



P = usi,S2{ sivi I siV2 I ^1(3;). {si{y). {s2{z). A{x,y) ,B{lsi) ) ^) ^ ) 

If we forget about the underlined parts and we regard si, S2 as channel names then P could 
also be viewed as a 7r-calculus process. In this case, P would reduce to 

Pi = usi,S2 is2{z).A{e{x),6{y)) 

where is a substitution such that 9{x),6{y) G {^1,^2} and 6{x) ^ 6{y)- In Stt, signals 
persist within the instant and P reduces to 

P2 = usi,S2 {sTvi I 51^2 I {s2{z).A{e{x),9{y)) , B{\si) )) 

where 9{x),6{y) E {vi,V2}- What happens next? In the vr-calculus, Pi is deadlocked and no 
further computation is possible. In the S'-zr-calculus, the fact that no further computation 
is possible in P2 is detected and marks the end of the current instant. Then an additional 

N 

computation represented by the relation — > moves P2 to the following instant: 

P2^P^ = USi,S2 B{v) 

where v G {[i'i;w2], [t'2;^^i]}- Thus at the end of the instant, a dereferenced signal such as !si 
becomes a list of (distinct) values emitted on si during the instant and then all signals are 
reset. 

2.5 A programming example 

We introduce a programming example to illustrate the kind of synchronous programming that 
can be represented in the S'vr-calculus. We describe first a 'server' handling a list of requests 
emitted in the previous instant on the signal s. For each request of the shape req(s',x), it 
provides an answer which is a function of x along the signal s' . 

Server{s) = paLXise. Handle {s, Is) 

Handle{s,l) = [i>req{s',x) :: l'](s'f{x) \ Handle{s,i')), Server{s) . 

The programming of a client that issues a request x on signal s and returns the reply on 
signal t could be the following: 

Client{x, s,t) = vs' (sreq(s',x) | pause. s'(x). tx, 0) . 

3 Semantics of the ASTr-calculus 

In this section, we define the semantics of the S'vr-calculus by a 'standard' notion of labelled 
bisimulation on a 'non-standard' labelled transition system and we show that labelled bisim- 
ulation is preserved by 'static' contexts. A distinct notion of labelled bisimulation for the 
S'TT-calculus has already been studied in [2] and the following section [J] will show that the two 
notions are (almost) the same. A significant advantage of the presentation of labelled bisim- 
ulation we discuss here is that in the 'bisimulation game' all actions are treated in the same 
way. This allows allows for a considerable simplification of the diagram chasing arguments 
that are needed in the study of determinacy and confluence in section [5l 
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3.1 Actions 



The actions of the forthcoming labelled transition system are classified in the following cate- 
gories: 

act ::= a \ aux (actions) 
Q ::= T \ vt sv \ sv I N (relevant actions) 
aux ::=s?v\{E,V) (auxiliary actions) 

fi ::= T \ vt sv \ s7v (nested actions) 

The category act is partitioned into relevant actions and auxiliary actions. 

The relevant actions are those that are actually considered in the bisimulation game. They 
consist of: (i) an internal action r, (ii) an emission action I't sv where it is assumed that the 
signal names t are distinct, occur in v, and differ from s, (iii) an input action sv, and (iv) an 
action N (for Next) that marks the move from the current to the next instant. 

The auxiliary actions consist of an input action s?v which is coupled with an emission 
action in order to compute a r action and an action {E, V) which is just needed to compute 
an action A^. The latter is an action that can occur exactly when the program cannot perform 
T actions and it amounts (i) to collect in lists the set of values emitted on every signal, (ii) 
to reset all signals, and (iii) to initialise the continuation K for each present statement of the 
shape s{x).P, K. 

In order to formalise these three steps we need to introduce some notation. Let E vary 
over functions from signal names to finite sets of values. Denote with the function that 
associates the empty set with every signal name, with [M/s] the function that associates the 
set M with the signal name s and the empty set with all the other signal names, and with U 
the union of functions defined point-wise. 

We represent a set of values as a list of the values contained in the set. More precisely, 
we write v \\—M and say that v represents M ii M = {vi, . . . , Vn} and v = [v7r(i); • • • ; '^'7r(n)] 
for some permutation vr over {1, . . . ,n}. Suppose y is a function from signal names to lists 
of values. We write V \\—E if V{s) \\—E{s) for every signal name s. We also write dom{V) for 
{s I V{s) 7^ []}. If K is a continuation, i.e., a recursive call A{r), then V{K) is obtained from 
K by replacing each occurrence !s of a dereferenced signal with the associated value V{s). 
We denote with the function that behaves as V except on s where y[£/s](s) = £. 

With these conventions, a transition P ^ '^^ P' intuitively means that (1) P is suspended, 
(2) P emits exactly the values specified by E, and (3) the behaviour of P in the following 
instant is P' and depends on V. It is convenient to compute these transitions on programs 
where all name generations are lifted at top level. We write P ^ Q if we can obtain Q from 
P by repeatedly transforming, for instance, a subprogram vsP' \ P" into vs{P' \ P") where 
s^fn{P"). 

Finally, the nested actions /x, /x', . . . are certain actions (either relevant or auxiliary) that 
can be produced by a sub-program and that we need to propagate to the top level. 



3.2 Labelled transition system 

The labelled transition system is defined in table [1] where rules apply to programs whose 
only free variables are signal names and with standard conventions on the renaming of bound 
names. As usual, one can rename bound variables, and the symmetric rules for (par) and 
(synch) are omitted. The first 12 rules from (out) to (i^ex) are quite close to those of a polyadic 
TT-calculus with asynchronous communication (see \12\ [T3\ H]) with the following exception: 
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{out) 



e i}. V 



se — > se 



(in) 



P^iP\ sv) 



(=r) 



^ md 



^ match{v^p) 



[v>p]Pl,P2^0Pi 



(rec) 
(=r) 

^ ind ^ 



s{x).P,K ^ [v/x]P 

A(x) =P, e J| V 
A{e) ^ [v/x]P 

gl 7^ g2 

match{v,p) =1 

b^p]i'l,i"2 ^^2 



(corwp) D I u ^ J\ p {t}n/n(P2)^0 

Pi I P2 Pi I P2 Pi I P2 ^ Z.t (Pi' I P^) 

pAp' t^n(^) P^^P' t'^s t'en[v)\{t} 

^tP^^tP' ^t'P^^^^P' 



e ij. V V occurs in V{s) 

^^"l n 0.^ n (reset) _ l{v}/s]y ^ 
> se > 



(cont) 



s ^ dom{V) 



s{x).P,K ^ V{K) 



(par) 



P^P' 



1,2 



(Pi I P2 



E1UE2.V 



(Pi' I Pi) 



(next) 



P>vsP' P' ^ P" V \\-E 



P 



N 



vs P" 



Table 1: Labelled transition system 



rule [out) models the fact that the emission of a value on a signal persists within the instant. 
The last 5 rules from (0) to {next) are quite specific of the Svr-calculus and determine how 
the computation is carried on at the end of the instant (cf . discussion in 13. 1|) . 

The relevant actions different from r, model the possible interactions of a program with 
its environment. Then the notion of reactivity can be formalised as follows. 

Definition 1 (derivative) A derivative of a program P is a program Q such that 

p J^l^ . . . i^li^ where: n > . 

Definition 2 (reactivity) We say that a program P is reactive, if for every derivative Q 
every T-reduction sequence terminates. 
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3.3 A compositional labelled bisimulation 

We introduce first a rather standard notion of (weak) labelled bisimulation. We define =4> as: 

( (^)* ifa = r 

(^)o(^) ifa^N 
[ (=>) o (— ^) o (=>) otherwise 

This is the standard definition except that we insist on not having internal reductions after 
an N action. Intuitively, we assume that an observer can control the execution of programs 
so as to be able to test them at the very beginning of each instantH We write P ■ for 
3P' {P^P'). 

Definition 3 (labelled bisimulation) A symmetric relation TZ on programs is a labelled 
bisimulation if 

PTZQ, P^P', bn{a) n fn{Q) = 
3Q' ( Q^g', P'TZQ') 
We denote with ~ the largest labelled bisimulation. 

The standard variation where one considers weak reduction in the hypothesis {P =4> P' 
rather than P — > P') leads to the same relation. Also, relying on this variation, one can 
show that the concept of bisimulation up to bisimulation makes sense, i.e., a bisimulation 
up to bisimulation is indeed contained in the largest bisimulation. An important property of 
labelled bisimulation is that it is preserved by static contexts. The proof of this fact follows 
[2] and it is presented in appendix [Bl 

Definition 4 A static context C is defined as follows: 

C::=[]\C\P\vsC (1) 

Theorem 5 (compositionality of labelled bisimulation) If P k, Q and C is a static 
context then C[P] C[Q]. 

4 Characterisations of labelled bisimulation 

The labelled transition system presented in table [U embodies a number of technical choices 
which might not appear so natural at first sight. To justify these choices, it is therefore 
interesting to look for alternative characterisations of the induced bisimulation equivalence. 
To this end we recall the notion of contextual bisimulation introduced in [2] . 

Definition 6 We write: 

PI if ^{ P ^ ■ ) (suspension) 

P ij- if 3P' { P ^ P' and P' [ ) ( weak suspension ) 

Pi}.L if 3P' { P \ P' ) il- (L-suspension) 

This decision entails that, e.g., we distinguish the programs P and Q defined as follows: P = pause. (si©S2), 
Q = vs (pause. j4(!s) | sO | si), where A{x) = [x\> [0;l]](si © S2),si, and ©, 0, and 1 are abbreviations for 
an internal choice and for two distinct constants, respectively (these concepts can be easily coded in the 
Svr-calculus) . On the other hand, P and Q would be equivalent if we defined ^ as =5> o o 
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Obviously, P | implies P ij- which in turn implies P ij-i and none of these implications 
can be reversed (see [2]). Also note that all the derivatives of a reactive program enjoy the 
weak suspension property. 

Definition 7 (commitment) We write P \,'s if P '^^'> ■ and say that P commits to emit 
on s. 

Definition 8 (barbed bisimulation) A symmetric relation IZ on programs is a barbed 
bisimulation if whenever P TZ Q the following holds: 

(Bl) IfP^P' then 3Q' (Q ^ Q' and P' TZ Q'). 

{B2) IfP\sandP ij-L then 3Q' (Q ^ Q', Q' \ s, and PTZQ'). 

{B3) IfPi andP ^ P" then 3 Q' , Q" (Q ^ Q' , Q' [,PTZ Q', Q' ^ Q" , and P" TZ Q"). 
We denote with k,^ the largest barbed bisimulation. 

Definition 9 (contextual bisimulation) A symmetric relation TZ on programs is a con- 
textual bisimulation if it is a barbed bisimulation (conditions {Bl — 2i)) and moreover whenever 
PTZQ then 

(CI) C[P] TZ C[Q], for any static context C . 

We denote with the largest contextual barbed bisimulation. 

We arrive at the announced characterisation of the labelled bisimulation. 

Theorem 10 (characterisation of labelled bisimulation) If P,Q are reactive programs 
then P ^ Q if and only if P Q ■ 

The proof of this result takes several steps summarised in Table [2] which provides 3 equiv- 
alent formulations of the labelled bisimulation «. In [2], the contextual bisimulation in 
definition [9] is characterised as a variant of the bisimulation ~3 where the condition for the 
output is formulated as follows: 

PTZQ, PU, P^2P', {t}n/n(Q)=0 
Q Q', P'TZ Q' 

Clearly, if P is a reactive program then P Also note that the definition [2] of reactive 
program refers to the labelled transition system [1] for which it holds that P ^ {P \ sv). 
Therefore, if P is reactive then (P \ sv) is reactive too and if we start comparing two reactive 
programs then all programs that have to be considered in the bisimulation game will be 
reactive too. This means that on reactive programs the condition P is always satisfied 
and therefore that the bisimulation ~3 coincides with the labelled bisimulation considered in 

Remark 11 (on determinacy and divergence) One may notice that the notions of la- 
belled bisimulation and contextual bisimulation we have adopted are only partially sensitive 
to divergence. Let Q = r.il. be a looping program. Then il. "^c since may suspend while $7 

^On non-reactive programs, labelled bisimulation makes more distinctions than contextual bisimulation. 
For instance, the latter identifies all the programs that do not L-suspend. 
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Labelled transition systems 




Bisimulation game 




Rule (in aux) replaced by 

s{x).P,K > [v/x\P sv 




As in definition [3] 




Rule (in) removed and 
action s7v replaced by sv 


(«2) 


As above if a ^ sv. Require: 

^""^^ (p 1 -sv) n [Q 1 -sv) 




As above 


(^3) 


As above if a 7^ sv. Replace [Inp) with : 
PHQ, P ^2P' 

3g' ( ^"2 Q' AP'n Q')y 
(Q ^2 Q' AP'n iQ' 1 sv) ) 

and for a — N require: 
PTZQ, {P\S) ^P', 

S = -SlVl \ ■ ■ ■ \ -S„Vn 

30', Q" ( (0 1 s*) ^2 Q", (P 1 s") 7^ g", 

0" ^2 Q', P'TIQ') 



Table 2: Equivalent formulations of labelled bisimulation 



may not. On the other hand, consider a program such as A = t.A © r.O. Then A ~ and 
therefore A k,q and we are lead to conclude that A is a determinate program. However, 
one may also argue that A is not determinate since it may either suspend or loop. In other 
words, determinacy depends on the notion of semantic equivalence we adopt. If the latter is 
not sensitive enough to divergence then the resulting notion of determinacy should be regarded 
as a partial property of programs, i.e., it holds provided programs terminate. In practice, these 
distinctions do not seem very important because, as we have already argued, reactivity is a 
property one should always require of synchronous programs and once reactivity is in place 
the distinctions disappear. 



5 Determinacy and (local) confluence 

In this section, we develop the notions of determinacy and confluence for the STr-calculus 
which turn out to coincide. Moreover, we note that for reactive programs a simple property 
of local confluence suffices to ensure determinacy. 

We denote with e the empty sequence and with s = ai • • • a„ a finite sequence (possibly 
empty) of actions different from r. We define: 

^_ 1 ^ if s = e 

I . . . ^ if s = ai • • • a„ 

Thus s denotes a finite (possibly empty) sequence of interactions with the environment. 
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Following [T7], a program is considered determinate if performing twice the same sequence of 
interactions leads to the same program up to semantic equivalence. 

Definition 12 (determinacy) We say that a program P is determinate if for every sequence 
s, ifP^ Pi for i=l,2 then Pi ^ P2. 

Determinacy implies r-inertness which is defined as follows. 

Definition 13 (r-inertness) A program is T-inert if for all its derivatives Q, Q Q' 
implies Q Q' . 

Next, we turn to the notion of confluence. To this end, we introduce first the notions of 
action compatibility and action residual. 

Definition 14 (action compatibility) The compatibility predicate J. is defined as the least 
reflexive and symmetric binary relation on actions such that a J, /? implies that either a, (3 ^ N 
or a = P = N . 

In other words, the action is only compatible with itself while any action different from 
N is compatible with any other action different from A^Jl Intuitively, confluence is about the 
possibility of commuting actions that happen in the same instant. To make this precise we 
also need to introduce a notion of action residual a\f3 which specifies what remains of the 
action a once the action /3 is performed. 

Definition 15 (action residual) The residual operation a\P on actions is only defined if 
a I P and in this case it satisfies: 

{T ifa = (3 _ 

i't\t'sv if a = ut sv and (3 = ut's'v' 
a otherwise 

Confluence is then about closing diagrams of compatible actions up to residuals and 
semantic equivalence. 

Definition 16 (confluence) We say that a program P is confluent, if for all its derivatives 
Q: 

Q^Qi, qAq2, aiP 

3 Q3, Q4 ( Qi Q3, Q2 "=^^ Q4, Q3 ~ Q4 ) 

It often turns out that the following weaker notion of local confluence is much easier to 
establish. 

^The reader familiar with [20] will notice that, unlike in the 7r-calculus with rendez-vous communication, we 
do not restrict the compatibility relation on input actions. This is because of the particular form of the input 
action in the labelled transition system in table [1] where the input action does not actually force a program 
to perform an input. We expect that a similar situation would arise in the 7r-calculus with asynchronous 
communication. 
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Definition 17 (local confiuence) We say that a program is locally confluent, if for all its 

derivatives Q: 

Q^Qi Q^Q2 a IP 

3 Q3, Q4 ( Qi Q3, Q2 "=^^ Qa, Qz-Qi) 

It is easy to produce programs which are locally confluent but not confluent. For instance, 
A = 'si (B B where B = '§2 ® A. However, one may notice that this program is not reactive. 
Indeed, for reactive programs local confluence is equivalent to confluence. 

Theorem 18 (1) A program is determinate if and only if it is confluent. 
(2) A reactive program is determinate if and only if for all its derivatives Q: 

Q^Qu Q^Q2, ae{T,N} 
3 Qs, Qa {Qi ^ Q3, Q2 ^ Qi, Qs ~ Qi) 

The fact that confluent programs are determinate is standard and it essentially follows 
from the observation that confluent programs are r-inert. The observation that determinate 
programs are confluent is specific of the 57r-calculus and it depends on the remark that input 
and output actions automatically commute with the other compatible actions 

The part (2) of the theorem is proved as follows. First one notices that the stated condi- 
tions are equivalent to local confluence (again relying on the fact that commutation of input 
and output actions is automatic) and then following [llj one observes that local confluence 
plus reactivity entails confluence. 

We conclude this section by noticing a strong commutation property of r actions that 
suffices to entail r-inertness and determinacy. Let be Uld where Id is the identity 
relation. 

Proposition 19 A program is determinate if for all its derivatives Q: 

Q^Qi, Q^Q2 Q^Qi, Q^Q2 

3Q' iQi-^Q', Q2^Q') Q1-Q2 

This is proven by showing that the strong commutation of the r-actions entails r-inertness. 

6 Conclusion 

We have developed a framework to analyse the determinacy of programs in a synchronous 
vr-calculus. First, we have introduced a compositional notion of labelled bisimulation. Second, 
we have characterised a relevant contextual bisimulation as a standard bisimulation over a 
modified labelled transition system. Third, we have studied the notion of confluence which 
turns out to be equivalent to determinacy, and we have shown that under reactivity, confluence 
reduces to a simple form of local confluence. 

^We note that the commutation of the inputs arises in the 7r-calculus with asynchronous communication 
too, while the commutation of the outputs is due to the fact that messages on signals unlike messages on 
channels persist within an instant (for instance, in CCS, if P = a | a.b then P a.b, P b, and there is no 
way to close the diagram). 
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According to theorem [T8lf2). there are basically two situations that need to be analysed 
in order to guarantee the determinacy of (reactive) programs. (1) At least two distinct values 
compete to be received within an instant, for instance, consider: svi \ SV2 \ s{x).P,K. (2) 
At the end of the instant, at least two distinct values are available on a signal. For instance, 
consider: svi \ SV2 \ pause. ^(!s). Based on this analysis, we are currently studying an affine 
type system in the style of [15] that avoids completely the first situation and allows the second 
provided the behaviour of the continuation A does not depend on the order in which the values 
are collected. 
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A Basic properties of labelled bisimulation 

We collect some basic properties of the notion of labelled bisimulation. First, we consider a 
standard variation of the definition [3] of bisimulation where transitions are weak on both sides 
of the bisimulation game. 

Definition 20 (w-bisimulation) A symmetric relation TZ on programs is a w-bisimulation 
if 

PTZQ, P', bn{a) n fn{Q) = 

3Q' iQ^Q', P'UQ' ) 

We denote with ~^ the largest w-bisimulation. 

With respect to this modified definition we introduce the usual notion of bisimulation up 
to bisimulation 

Definition 21 (w-bisimulation up to w-bisimulation) A symmetric relation TZ on pro- 
grams is a w-bisimulation up to w-bisimulation if 

PTZQ, P^P', bn{a) n fn{Q) = 
3Q'(Q^Q', P' ^^oTZoK^Q' ) 

We denote with ~^ the largest w-bisimulation. 

Proposition 22 (1) The relation ~ is an equivalence relation. 

(2) The relations ~ and ~^ coincide. 

(3) IflZ is a w-bisimulation up to w-bisimulation then TZ Css^^. 

Proof. (1) The identity relation is a labelled bisimulation and the union of symmetric 
relations is symmetric. To check transitivity, we prove that ~ o ?a is a labelled bisimulation 
by standard diagram chasing. 

(2) By definition a w-bisimulation is a labelled bisimulation, therefore ~io^f«. To show the 
other inclusion, prove that ~ is a w-bisimulation again by a standard diagram chasing. 

(3) First note that by (1) and (2), it follows that the relation ~^ is transitive. Then one 
shows that if 7^ is a w-bisimulation up to w-bisimulation then the relation o TZ o is a 
w-bisimulation. □ 

^We recall that it is important that this notion is defined with respect to w-bisimulation. Indeed, proposition 
I22r 3) below fails if w-bisimulation is replaced by bisimulation. 



14 



A.l Structural equivalence 

In the diagram chasing arguments, it will be convenient to consider programs up to a notion of 
'structural equivalence'. This is the least equivalence relation = such that (1) = is preserved 
by static contexts, (2) parallel composition is associative and commutative, (3) us (P \ Q) = 
vs P \ Q s ^ fn{Q), (4) 'sv \ 'sv = 'sv, and (5) se = if e JJ- v. One can check for the 
different labelled transition systems we consider that equivalent programs generate exactly 
the same transitions and that the programs to which they reduce are again equivalent. 

B Proof of theorem [5] 

The theorem follows directly from the following lemma [23lf 4) . 

Lemma 23 (1) If Pi ~ i-2 o-n-d cr is an injective renaming then aPi ~ crP2. 

(2) The relation ~ is reflexive and transitive. 

(3) If Pi f» P2 then {Pi \ sv) ^ {P2 \ sv). 

(4) If Pi ^ P2 then vs Pi ^ vs P2 and {Pi \ Q) ^ {P2 \ Q). 

Proof. (1), (2) Standard arguments. 

(3) Let 7^' = {{{P I sv),{Q \ sv)) | P Q} and 7^ = 7^'U ss. We show that 7^ is a 
bisimulation. Suppose {P \ sv) • and P k, Q. There are two interesting cases to consider. 

{a = r) Suppose {P \ sv) {P' \ sv) because P ^—>- P' . By definition of the Its, we have 
that P — > {P I su) ^ {P' I "sv). By definition of bisimulation, Q =^ {Q" \ sv) ^ {Q' \ sv) 
and {P' I sv) ~ {Q' \ sv). We conclude, by noticing that then {Q \ sv) ^ {Q' \ sv). 

N sv 

{a = N) Suppose {P \ sv) — > P' . Notice that P — > {P \ sv). Hence: 

Q ^ {Q" I sv) ^ {Q'" I sv) ^ Q', {P I sv) ^ {Q" I sv) ^ {Q'" \ sv), and P' ^ Q' . 
Then {Q\sv)^Q'. 

(4) We show that TZ = {{ut {Pi \ Q),ut {P2 | Q)) | Pi « P2}U « is a labelled bisimulation 
up to the structural equivalence =. 

(r) Suppose ut {Pi | Q) — > •. This may happen because either Pi or Q perform a r action 
or because Pi and Q synchronise. We analyse the various situations. 

(r)[l] Suppose Q Q'. Then ut (P2 \ Q) ^ ut (P2 | Q') and we can conclude. 

(r)[2] Suppose Pi ^ Pi. Then P2 ^ P^ and P[ ^ P^. So ut (P2 \ Q) ^ ut (P^ | Q) and we 
can conclude. 

(r)[3] Suppose Pi ^ P{ and Q Q'. This means Q = vt' (^v \ Q") and Q' = {sv \ Q"). 

By (3), (Pi I sv) w (P2 I sv). Moreover, (Pi | sv) ^ {P{ \ sv). Therefore, (P2 | sv) ^ (P^ | 
sv) and {P{ \ sv) ~ (P2 | sv). Then we notice that the transition ut {Pi \ Q) ^ ■ = 
ut,t' {{P[ I sv) I Q") is matched by the transition z/t (P2 | Q) ^ • = z^t,t' ((P^ | sv) \ Q"). 

(r)[4] Suppose Pi ^^^^ P{ and Q ^Q'. Then P2 P^ and P{ « P2. And we conclude 
noticing that ut (P2 | Q) ^ ut,t' (P^ | Q'). 
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(out) Suppose ut {Pi I Q) •. Also assume t = ti, t2 and t' = ti, ts up to reordering so 

that the emission extrudes exactly the names ti among the names in t. We have two subcases 
depending which component performs the action. 

{out)[l] Suppose Q ^^^^ Q'. Then ut (Pa I Q) i^ta (P2 I Q') and we can conclude. 

{out)[2] Suppose Pi ^^^^ Pi. Then P2 P^ and P{ « P^. Hence ut (P2 | Q) "^^'^ 

vt2 (P2 I Q) and we can conclude. 

(in) It is enough to notice that, modulo renaming, ut [Pi \ Q) \ 'sv = ut {{Pi \ sv) \ Q) and 
recall that by (3), (Pi | 'sv) w (P2 | Iv). 

{N) Suppose vt (Pi I Q) j. Up to structural equivalence, we can express Q as vtq {Sq \ 
Iq) where Sq is the parallel composition of emissions and Iq is the parallel composition of 
receptions. Thus we have: z^t (Pi | Q) = i^t,tQ (Pi | Sq \ Iq), and vt (P2 | Q) = i^t^tq (P2 | 
Sq I Iq) assuming {tg} nfn{Pi) = for i = 1, 2. 

If vt (Pi I Q) P then P = vt, tg {P{' \ Q') where in particular, we have that (Pi | Sq) J, 

and (Pi \Sq)^ {P[ I 0). 

By the hypothesis Pi ~ P2, and by definition of bisimulation we derive that: (i) (P2 | 

Sq) ^ {P!l I Sq), (ii) {P!l I Sq) j, (iii) (P^' | Sq) ^ (P^ | 0), (iv) (Pi | Sq) « (P^' 1 Sq), and 
(v) {P[ I 0) « (P^ I 0). 

Because (Pi j Sq) and {Pl^ \ Sq) are suspended and bisimilar, the two programs must 
commit (cf. definition [7]) on the same signal names and moreover on each signal name they 
must emit the same set of values up to renaming of bound names. It follows that the program 
z^t,tQ {P2 I Sq I Iq) is suspended. The only possibility for an internal transition is that an 
emission in P2 enables a reception in Iq but this contradicts the hypothesis that z^t,tQ (Pi | 

Sq I Iq) is suspended. Moreover, (P^' | Sq \ Iq) ^ (P^ | | Q'). 
Therefore, we have that 

ut (P2 I Q) = ut,tQ (P2 I Sq I Iq) ^ ut,tQ {P!l I Sq \ Iq), 

ut,tQ {P^ I Sq I Iq) i, and ut,tQ {P^ \ Sq I Iq) ^ ut,tQ (P^ I I Q'). Now ut,tQ (Pi | Sq \ 
Iq) n ut,tQ {P^' I Sq I Iq) because (Pi | Sq) « (P^' | Sq) and ut,tQ {Pi \ Q') TI i/t,tQ (P^ | 
Q') because P{ « P^. □ 

C Proof of theorem [TO 

We start with the labelled transition system defined in table [1] and the notion of bisimulation 
in definition [3l In table El we incrementally modify the labelled transition system and/or the 
conditions in the bisimulation game. This leads to three equivalent characterisations of the 
notion of bisimulation. We prove this fact step by step. 

Lemma 24 The bisimulation ~ coincides with the bisimulation ~i. 

Proof. The only difference here is in the rule {inaux), the bisimulation conditions being 
the same. Now this rule produces an action s?v and the latter is an auxiliary action that is 
used to produce the relevant action r thanks to the rule {synch). A simple instance of the 
difference follows. Suppose P = se | s{x).Q,K and e ij. v. Then: 

P ^ se j [v/x]Q = P' and P ^1 se | {[v/x]Q \ sv) = P" . 
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In the 57r-calculus, we do not distinguish the situations where the same vahie is emitted once 
or more times within the same instant. In particular, P' and P" are structurahy equivalent 
(cf. section EU. □ 



Next, we focus on the relationships between the labelled transitions systems >i and — >2- 

In -^^2, the rule (in) is removed and in the rule {iuaux), the label slv is replaced by the label 
sv (hence the auxiliary action s?v is not used in this labelled transition system). 

Lemma 25 (1) // P -^^i P' and act ^ sv then P > 2 P' where act' = sv if act = slv, 
and act' = act otherwise. 

(2) If P -^^2 P' then P ""^^ > ! P' where act' = slv if act = sv, and act' = act otherwise. 

We also notice that 1-bisimulation is preserved by parallel composition with an emission; 
the proof is similar to the one of lemma [23^3). 

Lemma 26 If P Q then {P \ sv) {Q \ sv). 

Lemma 27 The bisimulation ~i coincides with the hisimulation ~2- 

Proof. (~i^Ri2) We check that ~i is a 2-bisimulation. li a = sv then we apply lemma [26l 
Otherwise, suppose a 7^ sv, P ~i Q, and P -^2 P' ■ By lemma 12^2). P -^1 P' . By definition 
of 1-bisimulation, 3Q' Q ^1 Q',P' Q' . By lemma[25i;i), Q ^2 Q' ■ 

(Ri2C~i) We check that «2 is a 1-bisimulation. li a = sv and P ^1 {P \ sv) then by defini- 
tion of the Its, Q — >i {Q I sv). Moreover, by definition of 2-bisimulation, {P \ sv) ^2 {Q \ sv). 
Otherwise, suppose a / sv, P «2 Q, and P -^1 P'. By lemma[25l^l), P ^2 P'- By definition 
of 2-bisimulation, 3Q' Q =^2 Q', P' ~2 Q'- By lemma [25i;2), Q ^1 Q'. □ 

Next we move to a comparison of 2 and 3 bisimulations. Note that both definitions share 
the same Its denoted with -^2- First we remark the following. 

Lemma 28 (1) If P '^2 Q and P ^ P' then 3 Q' , Q" ( Q ^2 Q\ Q" ^ Q' , P ~2 Q" , P' ~2 
Q')- 

(2) IfP^sQ then {P \ sv) ^3 {Q | sv). 

Proof. (1) If P ^ P' then P cannot perform r moves. Thus if P ^^2 Q and Q ^2 Q" then 
necessarily P ^2 Q" ■ 

(2) Again we follow the proof of lemma [23J3). Let 7^' = {{{P \ sv), {Q \ sv)) \ P ^3 Q} 
and IZ = TZ'VJ ^3. We show that 7^ is a 3-bisimulation. Suppose {P \ sv) ^\ ■ and P ^3 Q. 
There are two interesting cases to consider. 

(a = r) Suppose {P \ sv) ^2 {P' \ sv) because P ^2 P' • By definition of 3-bisimulation, 
either (i) Q ^2 Q' and P' ^3 Q' or (ii) Q ^2 Q' and P' K.3 {Q' \ sv). In case (i), {Q \ sv) ^ 
{Q' I su) and we notice that {{P' \ sv), {Q' \ sv)) € TZ. In case (ii), {Q \ sv) ^ {Q' \ sv) and 
we notice that {P' \ sv, (Q' \ sv) \ sv) G TZ and {Q' \ sv) \ sv = {Q' \ sv). 

(a = N) Suppose ((P | sv) \ S) P' . By definition of 3-bisimulation, taking S' = {sv | S) 
[Q j S') ^ Q" ^ Q', (P I 5') ^3 Q". and P' ^3 Q' ■ □ 
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Lemma 29 The bisimulation ~2 coincides with the hisimulation ~3. 

Proof. (~2^~3) We show that ~2 is a 3-bishxLulation. We look first at the condition for the 
input. Suppose P ^2 Q and P — ^2 P'- By definition of 2-bisimulation, (P | sv) {Q I sv). 
Also {P I sv) — >2 (P' I 'sv) = P' . By definition of 2-bisimulation, (Q \ 'sv) =^ (Q' \ 'sv) and 
P' = {P' I 'sv) ^2 {Q' I 'sv). Two cases may arise. 

(1) 11 Q =^ Q' then Q' | = Q' and we satisfy the first case of the input condition for 
3-bisimulation. 

(2) li Q ^ Q' then, up to structural equivalence, we satisfy the second case of the input 
condition for 3-bisimulation. 

Next we consider the condition for the end of the instant. Suppose P ^^2 Q, S = 'sivi \ ■ ■ ■ \ 

's^Vn, and {P \ S) -^2 P'- By condition (Inp), {P \ S) ^2 {Q \ S). Then, by lemma 1281^ 1). 
the condition of 3-bisimulation is entailed by the corresponding condition for 2-bisimulation 
applied to (P | S) and {Q \ S). 

(s=;3Cf»2) We show that ~3 is a 2-bisimulation. The condition (Inp) holds because of lemma 
[28lf2). The condition of 2-bisimulation for the end of the instant is a special case of the 
condition for 3-bisimulation where we take S empty. □ 



D Proof of theorem [18] and proposition [19 



First, relying on proposition 122( 3). one can repeat the proof in [17] that confluence implies 
r-inertness and determinacy. 

Proposition 30 // a program is confluent then it is T-inert and determinate. 

Proof. Let S = {{P, P') \ P confluent and P ^ P'} and define 7^ = 5U5"^. We show that 
7^ is a w-bisimulation up to w-bisimulation (cf. lemma [22^3)). Clearly TZ is symmetric. Then 
suppose P confluent and P ^ Q (the case where Q reduces to P is symmetric). If Q ^ Qi 
then P ^ Qi and Qi TZ Qi. On the other hand, if P =^ Pi then by confluence there are 
P2, Qi such that Pi ^ P2, Q ^ Qi, and P2 ^ Qi. Thus Pi 7e o Qi. 

Therefore if P is confluent and P ^ P' then P ^ P'. Also recall that if Q is a derivative 
of P then Q is confluent. Thus we can conclude that if P is confluent then it is r- inert. 

Next, we show that: 

Pi ^ P2, Pi ^ Ps, P2 ^ P4 
P3-P4 

By definition of bisimulation, 3P5 ( P2 ^ P5, P3 P5 ). By confluence, 3Pe,P7 ( P5 ^ 
Pe, P4 ^ P7, Pe ~ P7 ). By r-inertness and transitivity, P3 f« P4. 

Finally, we can iterate this observation to conclude that if P =^ • • • Pi and P ^ • • • ^ 
P2 then Pi P2. □ 



We pause to point-out the particular properties of the input and output actions in the 
labelled transition system in table [TJ It is easily verified that if P i^^^ p' then P = ut('sv \ 
P") and P' = {'sv \ P"). This entails that in the following lemma the cases that involve an 
output action are actually general up to structural equivalence. 
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Lemma 31 (input-output commutations) 

P^{P\ sv), P ^P' 



(in — t) 



[P I sv) ^ [P' I sv), P' ^ [P' I sv) 
P^{P I sv), P^{P\ 7v') 



- (P I si;) ^ (P I sv) I s_y', (P I sy) ^ (P I s'v') I sv, 

(P I sv) I = (P I 7v') I 



(oitf — r) 



(ouf — m) 



[out — out) 



lytjsv I P) (si; | P), lytjsv \ P) ^ i^tjsv \ P') 

{sv I P) ^ (sz; I P'), J^t(sw I P') -^^^ (sw I P') 



t/t(st; I P) {sv I P), i^t(si; | P) ^ t/t(si' | P) | s'v' 

{sv I P) ^ (sv I P) I 7v', iyt{sv I P) I 7v' ^^^^ {sv \ P) \ 7v' 

h't{'sTvi I S2W2 I P) ''^"^> i^t\ti (sTui I si'z;2 | P), 
i/t(sTz;i I si't;2 | J^) ''''"^> i^t\t2 (sT^'i | s^V2 \ P) 
iyt\ti (sTui I si'u2 I P) "^^^^^ "^""^i (j^y^ I I P), 

l't\t2 (sTWl I Si'W2 I P) "^^'^^^ (sY^;^ I s^y^ I p) 



Note that, up to symmetry (and structural equivalence), the previous lemma covers all 
possible commutations of two compatible actions a, (3 but the 2 remaining cases where a = (3 
and a G {r, N}. 

Proposition 32 If a program is deterministic then it is confluent. 

Proof. We recall that if P is deterministic then it is r-inert. Suppose Q is a derivative of 

P,ai/3,Q^QiandQA Q2. 

If a = /3 then the definition of determinacy implies that Qi ~ Q2. Also note that 
a\P = P\a = T and Qi ^ Qi for i = 1,2. So the conditions for confluence are fulfilled. 

So we may assume a ^ /3 and, up to symmetry, we are left with 5 cases corresponding to 
the 5 situations considered in lemma EH 

In the 2 cases where /? = r we have that Q ~ Q2 by r-inertness. Thus, by bisimulation 
Q2 Qs and Qi ~ Q3. Now a\r = a, r\a = r, and Qi ^ Qi. Hence the conditions for 
confiuence are fulfilled. 

We are left with 3 cases where a and f3 are distinct input or output actions. By using 

r-inertness, we can focus on the case where Q ^ Qi and Q ^ Q'2^ Q2- Now, by iterating 
the lemma EH we can prove that: 

Qi^TQ'i, n>l, Q^Q'2 
3Q'i {Q'^^Q'i, Q'^i^TQ'i) 

So we are actually reduced to consider the situation where Q Q'l^ Qi andQ ^ Q'2 ^ Q2. 

But then by lemma ED we have: Q'l > Q2,, Q'2 — ^ Qi, and Q^ = Q4. Then using r- 
inertness and bisimulation, it is easy to close the diagram. □ 
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This concludes the proof of the first part of the theorem (jisri)). To derive the second 
part, we rely on the following fact due to [llj . 

Fact 33 If a program is reactive and locally confluent then it is confluent. 

Thus to derive the second part of the theorem (|18r 2)) it is enough to prove. 
Proposition 34 A program is locally confluent if (and only if) for all its derivatives Q: 

Q^Qu Q^Q2, ae{T,N} 

Proof. The stated condition is a special case of local confluence thus it is a necessary 
condition. To show that it is sufficient to entail local confluence, it is enough to appeal again 
to lemma [ST] (same argument given at the end of the proof of proposition [32]) . □ 

Proof of proposition 1191 Say that P is strong confluent if it satisfies the hypotheses 
of proposition [T9l Let S = {{P,Q) \ P strong confluent and {P = Q oi P Q)}- Let 
7^ = 5 U cS"^ We show that 7^ is a bisimulation. Hence strong confluence entails r-inertness. 
Note that if P — ^ Pi, for i = 1, 2, and a is either an input or an output action then Pi = P2. 
By lemma El] and diagram chasing, we show that if P is strong confluent and P ^ Pi, for 
i = 1,2, then Pi ~ P2. This suffices to show that P is determinate (and confluent). □ 
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